Re: [PHP] when to use htmlspecialchars()

2002-02-25 Thread Stewart G.

If you will be using the data elsewhere, then use it when it is displayed 
on the screen, or your other program will have to parse it.

It is a good idea to always run htmlspecialchars when outputting text to 
the browser that came from a form.

-- Stewart

On Mon, 25 Feb 2002, Erik Price wrote:

> I was wondering if anyone could give me some advice in deciding the most 
> appropriate time to use htmlspecialchars():
> 
> When user input is accepted and error-checked and ready to be inserted 
> into the database?  Or when user input is pulled from the database and 
> ready to be displayed to the screen?
> 
> It seems that running htmlspecialchars() BEFORE the data goes into the 
> database is the "safest" way to do it, so that potentially malicious 
> characters and tags never actually make it past the script.  But upon 
> thinking about the implications of this, it strikes me that this will 
> affect the integrity of my data -- ideally, I want to keep the data as 
> "pristine" as possible while it is in the database, since it might end 
> up being parsed by something other than a browser someday, in which case 
> it would be best to leave the data as is.
> 
> I'm leaning toward the second method, but I want to make sure that doing 
> so won't expose me to any risks that I haven't considered.  Please give 
> me your thoughts on this.
> 
> 
> Erik
> 
> Erik Price
> Web Developer Temp
> Media Lab, H.H. Brown
> [EMAIL PROTECTED]
> 


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
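The following is an added illustration of the advice above (store the form data raw, run htmlspecialchars() at the point where it is written to the browser); it is not code from either poster. It assumes PHP 7 or later with the pdo_sqlite extension, and the table and function names (comments, saveComment, loadComment, h) are made up for the example.

```php
<?php
// Added example, not from the original thread. Assumes PHP >= 7.0 with pdo_sqlite;
// the table name and helper names are invented for illustration.
declare(strict_types=1);

// Constructed sample form input: markup, an ampersand, and both quote characters.
$formInput = '<script>alert(1)</script> Tom & Jerry\'s "quoted" <b>text</b>';

// Storage layer: keep the bytes exactly as submitted. The parameterized query
// takes care of SQL safety; HTML safety is a separate concern handled at output.
function setupDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
    return $pdo;
}

function saveComment(PDO $pdo, string $body): int {
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);      // raw text, no htmlspecialchars() here
    return (int) $pdo->lastInsertId();
}

function loadComment(PDO $pdo, int $id): string {
    $stmt = $pdo->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// Output layer: one helper, used at every browser-bound sink.
// ENT_QUOTES escapes ' as well as ", so the result is also safe inside quoted
// attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
// (PHP 8.1 made these flags the default; passing them explicitly works everywhere.)
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$pdo  = setupDb();
$id   = saveComment($pdo, $formInput);
$body = loadComment($pdo, $id);

// The database copy is byte-for-byte what the user typed, so a CSV export,
// a mail, or a non-browser consumer can use it with no HTML decoding step.
if ($body !== $formInput) {
    throw new RuntimeException('stored data was altered');
}

// Element content:
echo '<p>', h($body), "</p>\n";
// Quoted attribute value (a single-quoted attribute would be breakable
// without ENT_QUOTES, since the pre-8.1 default leaves ' alone):
echo '<input type="text" name="body" value="', h($body), "\">\n";

// The failure mode of escaping before storage: the stored copy is already
// entity-encoded, and the output escape (which you still need, because other
// rows may come from other sources) then encodes the '&' a second time.
$storedEscaped = htmlspecialchars($formInput, ENT_QUOTES, 'UTF-8');
echo h($storedEscaped), "\n";   // renders literally as "&lt;script&gt;...": double-encoded
```

Two caveats worth keeping in mind with the output-time approach: every template that prints the value has to call the helper (a single missed echo is enough), and htmlspecialchars() only covers HTML element content and quoted attribute values; a value dropped into a `<script>` block, a URL, or an unquoted attribute needs the escaping appropriate to that context instead.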
[PHP] when to use htmlspecialchars()

2002-02-25 Thread Erik Price

I was wondering if anyone could give me some advice in deciding the most 
appropriate time to use htmlspecialchars():

When user input is accepted and error-checked and ready to be inserted 
into the database?  Or when user input is pulled from the database and 
ready to be displayed to the screen?

It seems that running htmlspecialchars() BEFORE the data goes into the 
database is the "safest" way to do it, so that potentially malicious 
characters and tags never actually make it past the script.  But upon 
thinking about the implications of this, it strikes me that this will 
affect the integrity of my data -- ideally, I want to keep the data as 
"pristine" as possible while it is in the database, since it might end 
up being parsed by something other than a browser someday, in which case 
it would be best to leave the data as is.

I'm leaning toward the second method, but I want to make sure that doing 
so won't expose me to any risks that I haven't considered.  Please give 
me your thoughts on this.


Erik
Erik Price
Web Developer Temp
Media Lab, H.H. Brown
[EMAIL PROTECTED]

